Computer network security is typically of paramount importance to network operators to ensure that only authorized users are able to access network resources such as services, applications, files, data, and the like.
In many networks, the number of users authorized to access different network resources may run from a single user up to multiple millions of users.
Over time, some users may have their authorization or entitlement to access network resources withdrawn, for example when an employee leaves a company, and new users may be authorized to access network resources, for example when a person starts employment with a company. Different users may also have authorization to access different network resources within a network.
The details of which users are entitled to access which network resources are typically distributed around the network at various end-points. End-points may include, for example, directories, data stores, databases, applications, and devices within the network and are used by security systems protecting network resources to control access to those resources.
The end-points are typically provisioned with user details of the users authorized to access different network resources. An initial provisioning step is performed using one or more user data sets provided from various network systems (not shown), for example, such as human resources databases, customer databases, and the like. User details may include, for example, user identifiers, passwords, user email addresses, user telephone numbers, and other user-related data.
However, such an approach becomes complex and unwieldy to manage when the number of users is large.